How The Google Search Appliance uses Kerberos to Authenticate Users and to Authorize Users to See Content

Introduction

This document shows what happens when a user does a secure search using Kerberos on the Google Search Appliance. There are two components to a secure search on the Google Search Appliance: first the Google Search Appliance authenticates the user, and then it authorizes each individual search result for that user. The individual HTTP and Kerberos transactions for authentication and authorization using Kerberos are described in detail below. There is also a larger diagram that shows the complete sequence of transactions when doing a secure search using Kerberos. This document assumes that the steps listed in the Kerberos authentication setup have been taken to configure Kerberos for the GSA and the user's browser.

In the diagrams that follow, the red lines show the HTTP protocol between the client browser, the Google Search Appliance and the secure content server. The lines in green dashes show the Kerberos traffic between the systems. The HTTP header trace is also displayed for all instances of HTTP traffic.

For a detailed description of how Kerberos works, see the Kerberos references.

Google Search Appliance authentication using Kerberos

Note: In this example assume that the user doing the secure search is YOURDOMAIN\user1, where "user1" is the user's login and "YOURDOMAIN" is the user's Kerberos realm.




  1. The user performs a secure search using his or her browser on the Google Search Appliance. Since the Google Search Appliance is configured to serve secure results using Kerberos, the Google Search Appliance responds to the user's browser with an HTTP 401 carrying a WWW-Authenticate: Negotiate header. This header tells the user's browser that it can use Kerberos to authenticate to the Google Search Appliance.

  2. GET /search?q=kerberos&btnG=Google+Search&access=a&oe=UTF-8&ie=UTF-8&sort=date%
    3AD%3AL%3Ad1&client=default_frontend&entqr=0&ud=1&output=xml_no_dtd
    &proxystylesheet=default_frontend HTTP/1.1
    Host: gsa1.yourdomain.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    
    HTTP/1.x 401 Unauthorized
    Connection: Close
    Set-Cookie: GSA_SESSION_ID=05cc29ee2b1ca77fb955438a8e76a3bd
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Realm="YOURDOMAIN.COM"
    Content-Type: text/html
    Content-Length: 87
    

  3. The user's computer requests a service ticket for the Google Search Appliance from the Kerberos Key Distribution Center (KDC). Since the Google Search Appliance has been registered in the KDC, the KDC returns a service ticket for the Google Search Appliance to the user's computer. In a Windows environment the KDC is usually the domain controller. If the fully qualified hostname for the Google Search Appliance is gsa1.yourdomain.com, the ticket issued for the service by the KDC will be for a Service Principal Name (SPN) like HTTP/gsa1.yourdomain.com (signifying the HTTP protocol for the system gsa1.yourdomain.com).

  4. The user's browser submits the secure search request again, but this time with the encrypted Kerberos token in the Authorization: Negotiate HTTP header. The Google Search Appliance decodes the Kerberos token, completing the authentication of the user. Once authentication is complete, the Google Search Appliance gathers results for the user's search query.

  5. GET /search?q=kerberos&btnG=Google+Search&access=a&oe=UTF-8&ie=UTF-8&sort=date
    %3AD%3AL%3Ad1&client=default_frontend&entqr=0&ud=1&output=xml_no_dtd
    &proxystylesheet=default_frontend HTTP/1.1
    Host: gsa1.yourdomain.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Authorization: Negotiate YIIKogYGKwYBBQUCoIIKljCCCpKgJDAiBgkqhkiC9xIBAgI
    GCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCmgEggpkYIIKYAYJKoZIhvcSAQICAQBuggpPMIIKS6ADAg
    EFoQMCAQ6iBwMFACAAAACjggRXYYIEUzCCBE+gAwIBBaEPGw1FU09ET01BSU4uQ09NoiUwI6ADAgECo
    RwwGhsESFRUUBsSZ3NhMS5lc29kb21haW4uY29to4IEDjCCBAqgAwIBA6EDAgEMooID/ASCA/jSMGzx
    EoKacqRcAbwMnEe8eS2xkvKLCii9IiiTHdZNYCyB/vvMJAOeiexKZvQUJoJ4dDnARMnfUrpM1zhVBzZ
    TuVu3Pin1ektYoBV+b+EP4P6GlfvqYq7unXeoteCE28Xa7OL02VKu1GSoUtP9Ivxe8TRXeJPF4Jtglz
    EyREdMxIvsCOTH4ki7gnBd22BL1GkMFr5Oidq2zcw1moFeRq5fRvZFGq1uxWMUKReDzejeEcWooBt6h
    5AndTtP4+fdHUr/VSfyIrtn2bAAenkpx2rADQkctHTL0WJ7DLeQpB0EBf1CqgmSnbXoJYqWeG+ht98a
    Nla3senEZhGZXFOwqLIt2QRQbKMom8LlvdOrnDpSVuAc9Q1qs0xkzJ8J8aXeTmlFrY6bItqJ2T/9Mei
    b5d3Ftdn6nPDveiCWB0WWk8hhRJHmBidoXRsJasibscra3t0lXDywYt+HON6HSaT1Q79w3xC9e86va/
    rUyYhNZA8+pCTfAhqteblGedkyhrud+/8YLZTcdsMl1EXqnU+aji5r3g2SI1ZassUZ235cCsJcDj0Jp
    CBp8QRMLoSUybDgzceyqRSWjvpxg7CmVJevpDFEE9UFfZFxCeRhZIdHRDjySV7U349Hyz2dgbyk3uzB
    +5Z++bGhcUZWsGRkUkNg3LN+CmFj/H1dyhqQFETtVmhK/WKb2IQCjy/XteTCZEpAj4urSXco+O5yDm0
    MCz9k1tfFEzpKkxukOrwdZIO8LwEsgy5AyRr7Z29ozbMSWq2nTDQz4nyqGeH/se8a4aO/2092ZdKfpc
    AhXeChgJnXm08bQNcCsP8J9+Q4runca6b//ca8P2S9nDNzQowiiIcOix7i0OhHuXVjUEtx0zbXS6Cpl
    +jU2Jey+BK2QyMklvi0YwBvAU2tURZVYCh4sC6FsMV0y4oc8dWpYpnmeXHm42v75+Fs5LnjwgEGsU=
    
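The base64 value after "Authorization: Negotiate" in the trace above is a GSS-API InitialContextToken (RFC 2743) wrapping a SPNEGO NegTokenInit (RFC 4178): an ordered list of mechanism OIDs the browser is willing to use, plus an optimistic token for the first of them (here a Kerberos AP-REQ). The following added example, which is not part of the original document, decodes that framing so a defender reviewing GSA or web-server logs can tell whether a client actually led with Kerberos or fell back to NTLM (the 401 above offers both). The DER sample token is constructed for the example and carries only a stub Kerberos inner token.

```python
import base64
OIDS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS Kerberos V5",
        "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}        # mechanism OIDs a Negotiate token can list

def der_tlv(buf, pos=0):
    # Return (tag, value, next_pos) for the DER element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    # DER OID content bytes -> dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_negotiate(header_value):
    # Classify the base64 value of an 'Authorization: Negotiate' header (client's first leg)
    token = base64.b64decode(header_value)
    if token.startswith(b"NTLMSSP\x00"):           # bare NTLM message sent under the Negotiate scheme
        return {"mechs": ["NTLMSSP"], "has_mech_token": True}
    tag, body, _ = der_tlv(token)                  # [APPLICATION 0] InitialContextToken (RFC 2743)
    _, mech, pos = der_tlv(body)
    if tag != 0x60 or decode_oid(mech) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO InitialContextToken")
    tag, neg, _ = der_tlv(body, pos)               # NegotiationToken CHOICE: [0] = NegTokenInit (RFC 4178)
    if tag != 0xA0:
        raise ValueError("only NegTokenInit is handled here")
    info, seq, pos = {"mechs": [], "has_mech_token": False}, der_tlv(neg)[1], 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        if tag == 0xA0:                            # [0] mechTypes: the client's ordered preference list
            lst, p = der_tlv(val)[1], 0
            while p < len(lst):
                _, oid, p = der_tlv(lst, p)
                info["mechs"].append(OIDS.get(decode_oid(oid), decode_oid(oid)))
        elif tag == 0xA2:                          # [2] mechToken: optimistic token for mechs[0]
            info["has_mech_token"] = True
    return info

# Constructed sample (not the page's trace): NegTokenInit offering MS Kerberos then NTLMSSP and
# carrying a stub Kerberos mechToken (GSS header, Kerberos OID, AP-REQ token id 01 00, body omitted)
SAMPLE_TOKEN = bytes.fromhex("603a06062b0601050502a030302ea019301706092a864882f712010202"
                             "060a2b06010401823702020aa211040f600d06092a864886f7120102020100")
SAMPLE_HEADER = base64.b64encode(SAMPLE_TOKEN).decode()
```

A header whose first listed mechanism is NTLMSSP, or whose value starts with "TlRMTVNTUAAB" (a bare NTLM message), shows a client that never presented a Kerberos ticket, which is the case to look for when checking that the SPN and delegation setup actually works.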

Google Search Appliance authorization using Kerberos

Note: This section starts where the previous authentication step left off, with the Google Search Appliance gathering results that match the user's secure query. Before returning a result to the user, the Google Search Appliance needs to verify that the user is allowed to view it. For this example assume the Google Search Appliance found http://iis.yourdomain.com/kerberos/test.html as a result for the user's secure query. Also assume again that the user doing the search is YOURDOMAIN\user1, where "user1" is the user's login and "YOURDOMAIN" is the user's Kerberos realm.





  1. The Google Search Appliance requests a Kerberos service ticket for the SPN HTTP/iis.yourdomain.com on behalf of the user YOURDOMAIN\user1. The Google Search Appliance is allowed to acquire a ticket on behalf of the user because the Google Search Appliance's user account was trusted for delegation when that account was set up.

  2. The Google Search Appliance makes an HTTP HEAD request to http://iis.yourdomain.com/kerberos/test.html, impersonating the user YOURDOMAIN\user1. The Google Search Appliance impersonates the user by using the service ticket it received in the previous step to generate an Authorization: Negotiate header (shown in the trace below). This header is placed in the HEAD request and sent to the content server. See the HEAD requester document for additional information on how the Google Search Appliance's HEAD requester works.

    The content server iis.yourdomain.com receives the HTTP HEAD request and decodes the Authorization: Negotiate header. From decoding the header, the content server knows the identity of the user: YOURDOMAIN\user1. The content server checks its access control list (ACL) to determine whether YOURDOMAIN\user1 is authorized to view the URL http://iis.yourdomain.com/kerberos/test.html. If authorized, the content server returns a 200 HTTP response code to the Google Search Appliance, and the Google Search Appliance marks the URL as permit for the user. If the user is not authorized to view the content, the content server returns a non-200 response to the Google Search Appliance, and the Google Search Appliance marks the URL as deny for the user. This step is repeated for each result. In the trace below the content server returns a 200 response.


  3. HEAD /kerberos/test.html HTTP/1.1
    Host: iis.yourdomain.com
    Connection: Keep-Alive
    User-Agent: gsa-crawler
    Authorization: Negotiate YIIFRwYGKwYBBQUCoIIFOzCCBTegDTALBgkqhkiG9xIBAgKiggUkBI
    IFIGCCBRwGCSqGSIb3EgECAgEAboIFCzCCBQegAwIBBaEDAgEOogcDBQAAAAAAo4IEHWGCBBkwggQVo
    AMCAQWhDxsNRVNPRE9NQUlOLkNPTaIkMCKgAwIBAaEbMBkbBEhUVFAbEWlpcy5lc29kb21haW4uY29t
    o4ID1TCCA9GgAwIBEqEDAgEHooIDwwSCA78nCMX0i1cfKsvmU2az0o8AltwZKdersouikRauuvMxEEV
    p8aqckkf/loC12bh2XfHqUnCJbj8yfPJPRiexC+8Lck+r8C6PSG/Oq8OKbOjpx1aFBFEKxbw4+WdxPN
    8AzK1AR5bfRkTMGF0c73UF1uiWvgaBVHy27zhb8fwWx/y6ufKDZJ2jnf65lGEfEmoS6nMC0KEpEWyrk
    rQ/NDbhDPbvCe2blqNJ1Ibw+DsryarO/5eyRxoOUdaAOdc8w8mWlLk+3e6IhFzFLH/ewjy7y6TrhRtH
    9mamhZxwz5/n2+ormg+z2i7oItrf9oZMNTEet1PDWWmdnfe10emF+kfrK8prmwJkSaHpaP5sEYHzgWY
    pAMyCAV4gITx9+qn3JLqX3Gk33/DMBBBIrW5KWh50j36Y3x7Nu9B67w4r+SRn5L+AwAVGe27trqydBc
    uVvc7bTfx8N9NjwR5f6dNkapTIcb7hKPsezsApWvkY53ZfI5bXjbLh8S4Npg8W6226kzbVUWfb76f6X
    HWQdNWanemlj7NQrcKNTkQU3u/cKk8LC8lOU8mhnA30aaXw3+odcy1/B7I7bej4oby74EXELQpqU747
    iYZBApP1Ph6XTV+714YSkLRdRR0uuhSG2f8iG+6F49XNiyQ4Sw9ti2RnCrNpXxAAavZulIJHN7Y+1Dp
    zx+uz9fAZC6/MfkZbEgvW/9RB6yVBif0Gn0ghxC/WyY4ZqAmWnGoM28IIR55iDuL/KV3Oqz1OHntoW4
    Szlgiyfg8+0FNmpmlUxNORPX7QGHwM110DweGIpWS4byZQGPtUU1IE1bLJ54kmDn2AnxT2MRoLgh1z6
    6UxER70ZLS5MRANH3SaYJ17GpebVCw0cTgIX0X/ySQ2bqYUaPNLHuOqYKTCOB1ZhyEyaM6jTZ9yWHvd
    bBZdIdDriADtFSlnAg9RwTSk5Iitep6xdYdkE6Lur1eGL/rsh9wwec05f3wKgoi/pVd5JHoytet8Nxb
    8R7MCMqSuKTX7DJ2YnPSUVNU7hTN2YM803hnM06AV1WhliOx+hFaOvSf9BVH994nSNe7JbZTQayiU+Z
    qb9cWE7kKeFLIGoOYQFv8AVx0d2DILrDCTrTmjlBAY6zHXg8YSSAdDbBpQ2r/j+6DWl2FANUMvGRNlD
    EuhB1DutzMJArzfr/xKi4Qy6M3VVW2Se2ejS+GYO4s8lICQIgk3SRWOCRxscQadeJtkLH3VBWPB4Rcm
    VU/mVEWObLyXd9yPiYJGaS+tJOIDyc2k7ZDTvr52z/NNM80986SB0DCBzaADAgESooHFBIHCV86AW8f
    nKEBazwhXQHQ7ojuuWRnyBmHSeJWTZLgE62rQFWhwcEBS4wNYsuxL8zvnqmBsMviSBFUuM0d8qwWhAh
    UXD8oTEalPJoXOWzc1YvdYC+8GMfXwFVPS99o7z561HKlaTxbRiwAEJqHIWY8yQgEW4tKstDtqNU5+L
    3AwOWXhf4mRngFb6aQJ5gFJ51A6D8i2mF09jIgqY4M38qOV718321hfjch2+aW00ggbl4o3qalTjN63
    E9Dcnl3vj076LPI=
    
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 819
    Content-Type: text/html
    Server: Microsoft-IIS/7.0
    Connection: close
    

  4. The Google Search Appliance returns all the results that were marked as permit in the previous step to YOURDOMAIN\user1's browser.

  5. HTTP/1.x 200 OK
    Connection: Close
    Cache-Control: private
    Content-Type: text/html
    Server: GWS/2.1
    Date: Thu, 04 Dec 2008 01:11:46 GMT
    Content-Length: 13074
    

Complete Google Search Appliance secure search using Kerberos

This is the complete HTTP and Kerberos data transaction diagram for a secure search on the Google Search Appliance using Kerberos. It is essentially the same diagram that was shown previously, without the description of each step. Additionally, this diagram shows the Google Search Appliance authorizing an additional URL, and it shows the data transaction when the user clicks on a search result.

Assume again that the user is YOURDOMAIN\user1, and in this case assume that the Google Search Appliance returns two results: http://iis.yourdomain.com/kerberos/test.html and http://sharepoint.yourdomain.com/kerberos/test.html.

Kerberos references
